Electronic Health Records


Secure Electronic Medical Records (EMR)

Sahar Almenwer

04/23/2021

Introduction

The electronic medical record (EMR) comprises the standard clinical and medical data collected by physicians. An EMR is a digital way of storing a patient's data, including the patient's history, for convenience and easy access. The EMR information system enhances the overall quality of care in the hospital setting. However, protecting patient privacy has long been a challenge in the health care sector, and confidentiality of the EMR has been the main security issue. Therefore, the EMR is a crucial and requisite subject for computer security in the health care industry. Availability, integrity, and confidentiality of important data networks, databases, and software systems are the main areas of concern across the sector. Unauthorized disclosure, theft, or corruption of corporate resources disrupts hospital operations, which in turn can seriously affect safety, privacy, and public confidence. Since the field of medicine, and the structure of health care organizations, have changed tremendously, patient privacy should be strengthened through cryptographic algorithms to ensure secure medical records.

The application of electronic medical records in the health care sector requires that issues of data security and patient privacy be analyzed, so that the practices, policies, and approaches applied to handling health information account for the vulnerabilities the system entails. The health care industry must ensure that mechanisms are in place to protect the information as it collects, processes, and stores more health information in digital form. Consequently, many health organizations can provide EMR solutions. The basic strategy for ensuring the privacy of patient information in today's systems is access control (Dubovitskaya & Wang, 2017). In a system that depends completely on access control, the servers storing the data run a specific access control program which verifies that any person accessing a patient's health records has the necessary permission. Established access control systems maintain a log of every access and ensure that communications are securely encrypted. This has been a fairly effective approach to ensuring the privacy of the EMR. However, patients must trust the third party that keeps their confidential health record. Once the EMR system is compromised, the patients' secret information is revealed.

Therefore, considering the weakness associated with access control, it is important for the EMR system to encrypt patient records on top of the access control measures in place. However, the challenge then arises of who is supposed to hold the decryption keys. If the key is kept on the server, it is equally vulnerable to compromise and theft, since the key can be stolen together with the encrypted information. Thus, for privacy, each patient should generate their own decryption key and use that key when encrypting their records (Dubovitskaya & Wang, 2017). Establishing encryption mechanisms with strong security properties ensures that patient privacy is maintained. However, employing a naive encryption scheme interferes with how the health care system is meant to function. Specifically, it is critical to apply encryption while still supporting desired functions such as letting users run different queries over their records and share access rights with others. An EMR system should therefore consider an encryption scheme that lets patients delegate partial decryption rights as well as search their health information.

Patient Controlled Encryption

The patient-controlled encryption (PCE) design is a solution for protecting and privately storing patients' medical records. PCE enables the patient to share records selectively among health care providers and doctors. A hierarchical encryption system is the base of the PCE design: the patient holds a root private key, and subkeys are derived from it. The patient can therefore distribute the subkeys selectively for decrypting different categories of the record. PCE protects the patient's medical data from being accessed by unauthorized parties. The design is related to the cryptographic storage file system (CSFS) problem (Dubovitskaya & Wang, 2017), in which documents are encrypted before they are stored on an untrusted server. However, applying a hierarchical encryption scheme differs from the traditional CSFS strategy in that the encryption in hierarchical PCE enforces the access structure. Consequently, the number of keys that must be stored is reduced, and consistent access rights are guaranteed if several individuals write to the same category of a record. Additionally, the PCE design controls the type of access structures a party in the health care system can hold.

In an EMR system, physicians, patients, and medical devices can upload records and retrieve them whenever they wish. Patients are also entitled to grant access rights to other people, who can then read or edit some sections of their records. The involved parties can efficiently search either a section or the entire record (Wu & Du, 2019). A high-level PCE system enables patients to derive subkeys from their decryption key that allow their delegates to access and search only specific sections of the record. PCE aims to establish strong security, specifically to guarantee the privacy of patient data. Patients should be assured that administrators cannot access anything in their health records. PCE also aims to preserve security if the server is compromised, so that patients can be certain their data is not revealed. Additionally, PCE focuses on ensuring that the health record is correct and that the patient can verify the data is intact. Maintaining functionality is another goal of the hierarchical PCE design, which seeks to ensure security without interfering with the functionality of the server (Wu & Du, 2019). This means the system must provide efficient access to a patient's health records, efficient searching over records, and easy sharing of sections of the record.

Patient Health Structures

The PCE design assumes that an electronic medical record has a hierarchical data structure. Different formats can be employed to decompose a patient's record into a hierarchy using various ontologies. For example, at the top level, a record can be decomposed into high-level sections such as medical records, dental records, mental health data, and a section for all lab results associated with the patient. The medical category can then be further subdivided into subsections for primary medical information. These categories can also be grouped by the clinic that gave the care, and then by date and by the doctor involved (Vimalachandran & Kuang, 2017). The most important aspect of the PCE design is that patients must be able to grant access to any subset of these categories. For example, a patient may wish to send the whole record to her doctor but not allow the pharmacist to access more information than is required.

A hierarchical PCE system therefore gives the patient a way to grant access to specific parts of the record. The patient generates a secret key, referred to as the root key, as described above. The patient can then use this secret key to derive subkeys for the different sections and subsections of data, and the data of every subsection is encrypted with the corresponding subkey. To grant a doctor read rights to a specific category of data, the patient derives the subkey corresponding to that category and sends it to the doctor (Vimalachandran & Kuang, 2017). In a hierarchical PCE system, a party has no right to access any category of data unless the patient provides the corresponding subkey. The server has access neither to the secret key nor to any of the subkeys given to the doctor, and hence cannot read any data. The hierarchical structure can be expanded so that patients can add subcategories under any existing category. The patient can delegate access to a section of data without knowing in advance every kind of document it will eventually contain. In the same way, doctors can add category names arbitrarily without assistance from the patient.

Basic Patient-Centered Encryption

The PCE system design requires properties that ensure the system functions in the desired way. The PCE design contains four algorithms. PCEKeyGen derives a root secret key, together with a public key, for the patient. PCEKeyDer is the key derivation algorithm: it takes the secret key of a specific category and the name of one of its subcategories, and outputs the secret key for that subcategory. Enc is the encryption algorithm, which takes either a secret or a public key for the category, the category name, and a file, and encrypts the file for that category (Shahnaz & Khalid, 2019). Dec is the decryption algorithm, which takes the name and the secret key of a category together with a ciphertext encrypted for that category and decrypts the file. Correctness requires that a correctly encrypted document will be successfully decrypted when the right decryption key is provided. Security, on the other hand, requires that an encrypted file in a specific category reveals nothing about that file, provided the adversary has not been given a decryption key for an ancestor category.
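The four algorithms above, worked through in the symmetric-key setting, as an added example written for this page (it is not code from the paper or from any of the cited projects). Subkeys are derived with HMAC-SHA256, which is why a delegate holding the "medical" key can reach "medical/cardiology" but not the sibling "dental" category. Because only the Python standard library is used, the cipher inside Enc/Dec is a labelled stand-in (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC); a deployment would use AES-GCM or ChaCha20-Poly1305 from a vetted library. The slash-separated category paths, the "pce-subkey" label and the sample record contents are all constructed assumptions.

```python
import hashlib
import hmac
import os

KEY_LEN = 32      # 256-bit keys
NONCE_LEN = 16
TAG_LEN = 32      # HMAC-SHA256 tag


def pce_keygen() -> bytes:
    """PCEKeyGen: the patient's root secret key. This is the symmetric-key
    variant of PCE, so there is no separate public key."""
    return os.urandom(KEY_LEN)


def pce_keyder(parent_key: bytes, child_name: str) -> bytes:
    """PCEKeyDer: derive a subcategory's secret key from its parent's key.
    HMAC-SHA256 is a PRF, so a child key reveals nothing about the parent key,
    and sibling keys cannot be computed from one another."""
    return hmac.new(parent_key, b"pce-subkey|" + child_name.encode(), hashlib.sha256).digest()


def key_for_path(root_key: bytes, path: str) -> bytes:
    """Walk a slash-separated category path (assumed convention), e.g.
    'medical/cardiology', applying PCEKeyDer once per level."""
    key = root_key
    for name in path.split("/"):
        key = pce_keyder(key, name)
    return key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256 in counter mode (stdlib only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(category_key: bytes):
    """Separate encryption and MAC keys for the category."""
    enc_key = hmac.new(category_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(category_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def enc(category_key: bytes, category: str, plaintext: bytes) -> bytes:
    """Enc: encrypt a file for a category. The category name is bound into the
    MAC as associated data, so a ciphertext cannot be silently re-filed under
    another category. Output layout: nonce || body || tag."""
    enc_key, mac_key = _subkeys(category_key)
    nonce = os.urandom(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, category.encode() + b"|" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def dec(category_key: bytes, category: str, blob: bytes) -> bytes:
    """Dec: verify the tag first, then decrypt. A wrong key, a wrong category
    name or a tampered ciphertext all fail here rather than yielding garbage."""
    enc_key, mac_key = _subkeys(category_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, category.encode() + b"|" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key, wrong category or tampered data")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


def delegation_demo() -> dict:
    """Constructed scenario: the patient hands a cardiologist the 'medical'
    subkey. The doctor can read anything under 'medical' but not 'dental'."""
    root = pce_keygen()
    records = {  # constructed sample data
        "medical/cardiology": b"2021-04-23 ECG: normal sinus rhythm",
        "dental": b"2021-03-01 two fillings, lower left",
    }
    # The server stores only ciphertexts, keyed by category path.
    server = {path: enc(key_for_path(root, path), path, data) for path, data in records.items()}

    medical_key = pce_keyder(root, "medical")        # what the patient delegates
    result = {}
    result["cardiology"] = dec(pce_keyder(medical_key, "cardiology"),
                               "medical/cardiology", server["medical/cardiology"])
    try:  # the delegate cannot reach a sibling subtree from the 'medical' key
        dec(pce_keyder(medical_key, "dental"), "dental", server["dental"])
        result["dental_readable"] = True
    except ValueError:
        result["dental_readable"] = False
    return result


if __name__ == "__main__":
    print(delegation_demo())
```

The security property in the paragraph above corresponds to the one-way derivation: from the "medical" key the delegate can only move downwards in the hierarchy, and the authenticated tag means an attempt to decrypt a category one does not hold the key for is rejected outright rather than producing silent garbage.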

Consequently, the health information server is responsible only for storing encrypted files. If a patient wants to let a doctor read a certain category of data, the patient runs PCEKeyDer to derive the right subkey and passes it to the doctor. The doctor can then download every encrypted file in that category and decrypt it using that subkey. Since the searching mechanism employed by the PCE scheme must be efficient, it should ensure several properties. It should ensure searchability, so that the system returns the results that match the query. It should also guarantee privacy, so that the patient can search without telling the server anything (Shahnaz & Khalid, 2019). Thus, the server should learn nothing about what is being searched; it should only learn which encrypted files must be returned. The server can examine whether the search matches a string in the database, but without seeing the string: instead, a test algorithm is defined which takes an encrypted query together with a set of encrypted strings and returns true if they match.

This process reveals no other information, and it guarantees that the server will not learn the string even after being given the encrypted query, nor any information beyond which ciphertexts match. The PCE design integrates patient-controlled encryption with the idea of searchable encryption. The PCE design uses symmetric keys, where an individual must know the decryption key in order to encrypt any data. Therefore, in a symmetric-key PCE design, anyone who can encrypt for a category can also decrypt for the same category. This means that the patient will have to give the doctor the decryption key for a specific category before the doctor can upload data to it (Baek, 2019); the doctor will then also be able to read any information in that category. This scheme is more efficient and, moreover, has stronger privacy guarantees. The scheme ensures efficient searching, in that search time is proportional to the number of files returned and the number of categories searched. It also provides secure searchability, guaranteeing that the only thing an adversary learns is which files are returned by each query. Beyond that, the only individuals who can learn anything about the encrypted data or the queries are those who already have access to the required file. Secure label hiding is ensured in the symmetric PCE system, which protects the patient's information from active attackers. This ensures that encrypted files are accessed only by parties who have been granted permission.


Key management is critical to ensuring that patient data remains secure and private. The patient should be able to revoke keys by decrypting sections of their record and re-encrypting them with new keys. This is recommended when a patient has experienced a key compromise or wishes to stop a specific provider, another proxy, or a family member from accessing their health records. To strengthen security further, an emergency response should be developed in which a patient is permitted to wear an enhanced medic-alert device that provides information in case someone tries to enter their account (Baek, 2019). Patients should be allowed to escrow keys when establishing their accounts. Escrow can be done either formally, through a professional service, or informally, through a threshold scheme or by sharing keys with family members. Alternatively, patients can keep a hardware device containing their root secret key as a backup.
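The "threshold scheme" mentioned for informal key escrow, worked through as an added example that is not from the paper or the cited works. It uses Shamir secret sharing over the prime field GF(2^521 - 1): the root key becomes the constant term of a random polynomial, each shareholder receives one point on it, and any `threshold` points recover the key by Lagrange interpolation while fewer reveal nothing. The 2-of-3 split and the idea of giving the shares to, say, the patient, a family member and a clinic are constructed assumptions; only the Python standard library is used.

```python
import secrets

# Mersenne prime 2^521 - 1: larger than any 256-bit key, so a key converted to
# an integer is always a valid field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs: list, x: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(root_key: bytes, threshold: int, n_shares: int) -> list:
    """Split root_key into n_shares points on a random polynomial of degree
    threshold-1 whose constant term is the key. Any `threshold` shares recover
    the key; fewer than that leave every key value equally likely."""
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    secret = int.from_bytes(root_key, "big")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_key(shares: list, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0 over GF(PRIME). With too few shares the
    interpolated value is a random field element; it almost surely does not
    fit in key_len bytes, and the check below turns that into an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret >= 1 << (8 * key_len):
        raise ValueError("recovered value is not a key: too few or wrong shares")
    return secret.to_bytes(key_len, "big")


def escrow_demo() -> dict:
    """Constructed scenario: a fresh 256-bit root key split 2-of-3, then
    recovered from each pair of shares."""
    root_key = secrets.token_bytes(32)
    shares = split_key(root_key, threshold=2, n_shares=3)  # patient, family member, clinic
    return {
        "root_key": root_key,
        "from_shares_1_2": recover_key(shares[:2], 32),
        "from_shares_2_3": recover_key(shares[1:], 32),
        "from_shares_1_3": recover_key([shares[0], shares[2]], 32),
    }


if __name__ == "__main__":
    d = escrow_demo()
    print(all(v == d["root_key"] for k, v in d.items() if k != "root_key"))
```

Shares should be stored as (index, value) pairs by separate holders; the index must be kept with its value, since interpolation needs both. Note that a share by itself carries no integrity protection, so a corrupted share produces a wrong key rather than an error, which is why the recovered key should be verified (for instance by decrypting a known record) before the old key is discarded.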

In the PCE design, doctors may store, manage, and keep private the secret keys of their patients. A hierarchical system has the advantage that, in most situations, this requires only one secret key per patient. Still, the doctor can avoid this burden by downloading the encrypted keys from the server whenever a patient's record is needed and deleting the decrypted secret key after the record has been decrypted. The PCE design concentrates on giving the patient complete control over which individuals may access the data. Thus, the patient is responsible for deciding accurately which providers should access which parts of the record. This is the strategy used in all electronic medical record systems that rely on access control to ensure patient privacy (Baek, 2019). To help the patient navigate the different choices the system offers, the system should provide alternatives describing default sets of keys and hierarchies to give to doctors, devices, family members, and others.
To improve searchable encryption in the public-key setting, the PEKS scheme was developed by Boneh. The idea behind the scheme is that each keyword is also uploaded, once, when a file is uploaded: the PEKS encryption of the keyword is stored as a tag together with the encrypted file. The person holding the right decryption key can then derive a trapdoor for a specific keyword, allowing the server to check whether a given tag matches without revealing the search keyword. The PEKS scheme is thus combined with the hierarchical encryption design applied in PCE. In this case, the PEKS keyword encryption uses the encryption key of the given category, and the decryption key corresponding to that category derives the trapdoor (Zhang & Poslad, 2018). This makes it possible for anyone who can decrypt a given category to perform any search over the same category. To hide labels in a public-key scheme, it is important to first make sure that both the PCE encryption and the searchable encryption hide all data about the category.

To improve on symmetric-key PCE, a similar hierarchical set of categories is constructed, but one that supports only secret-key encryption. This yields a construction built essentially from simple symmetric-key primitives. Developing symmetric-key searchable encryption that supports such processing is crucial for the electronic medical record. This setting involves a single user, who encrypts a set of files together with an index specifying the documents in which each keyword is located. Both the encrypted documents and the index are then sent to the server for storage, and the patient can use the secret key to derive search trapdoors for specific keywords (Zhang & Poslad, 2018). The trapdoors conceal all information about the corresponding keywords, but when combined with the encrypted index, the documents containing those keywords can be determined. The main idea of combining such a system with symmetric-key PCE is to store an index for every category, so that anyone holding the decryption key for that category can derive the appropriate trapdoors.

Conclusion

Through the generation of both encryption and decryption keys, electronic medical records are given proper storage, integrity, and confidentiality. This enables health care providers and patients to upload and retrieve records whenever they need them. Different algorithms are employed to generate encryption and decryption keys in the EMR. A key derivation algorithm takes the secret key for a specific category and the location of one of the document's subcategories and generates a different private key for that subcategory. The specific record is then encrypted by the encryption algorithm. To access the records, a decryption algorithm decrypts the documents using the decryption key. Cryptography protects electronic medical records provided that the correctness and security of encryption and decryption are ensured.

References

Baek, S. (2019). Blockchain-based electronic medical record sharing framework using ciphertext policy attribute-based cryptography for patient's anonymity. Convergence Security Journal, 19(1), 49-60.

Dubovitskaya, A., Xu, Z., Ryu, S., Schumacher, M., & Wang, F. (2017). Secure and trustable electronic medical records sharing using blockchain. In AMIA Annual Symposium Proceedings (Vol. 2017, p. 650). American Medical Informatics Association.

Shahnaz, A., Qamar, U., & Khalid, A. (2019). Using blockchain for electronic health records. IEEE Access, 7, 147782-147795.

Vimalachandran, P., Wang, H., Zhang, Y., Zhuo, G., & Kuang, H. (2017, October). Cryptographic access control in electronic health record systems: A security implication. In International Conference on Web Information Systems Engineering (pp. 540-549).

Wu, S., & Du, J. (2019, January). Electronic medical record security sharing model based on blockchain. In Proceedings of the 3rd International Conference on Cryptography, Security, and Privacy (pp. 13-17).

Zhang, X., & Poslad, S. (2018, May). Blockchain support for flexible queries with granular access control to electronic medical records (EMR). In 2018 IEEE International Conference on Communications (ICC) (pp. 1-6). IEEE.
